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Monge, Elaine (SCA) 


^—r^From: 

Sent: 

To: 

Cc: 

Subject: 

Attachments: 


Lucas, Stephanie A. <slucas@ bakerlaw.com > 

Friday, August 31, 2018 5:51 PM 
Breaches, Data (SCA) 

Kitchen, David E. 

Notification Regarding Security Incident for Posternak Blankstein & Lund, LLP 
PBL Notification_MA Attorney General Office 8-31-18.pdf 


Hello, 

Please find the notification letter and letter sample sent to the Attorney General on August 31, 2018 for Posternak 
Blankstein & Lund, LLP's recent security incident. 


Stephanie Lucas 

Associate 


BakerHostetier 

11601 Wilshire Boulevard | Suite 1400 
Los Angeles, CA 90025-0509 
T+1.310.442.8847 


slucas@bakerlaw.com 

bakerlaw.com 



This email is intended only for the use of the party to which it is 
addressed and may contain information that is privileged, 
confidential, or protected by law. If you are not the intended 
recipient you are hereby notified that any dissemination, copying 
or distribution of this email or its contents is strictly prohibited. 

If you have received this message in error, please notify us immediately 
by replying to the message and deleting it from your computer. 

Any tax advice in this email is for information purposes only. The content, 
of this email is limited to the matters specifically addressed herein 
and may not contain a full description of all relevant facts or a 
complete analysis of all relevant issues or authorities. 

Internet communications are not assured to be secure or clear of 
inaccuracies as information could be intercepted, corrupted, tost 
destroyed, arrive late or incomplete, or contain viruses. Therefore, 
we do not accept responsibility for any errors or omissions that are 
present in this email, or any attachment, that have arisen as a result 
of e-mail transmission. 
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Baker&HostetlerLLP 

Key Tower 

127 Public Square. Suite 2000 
Cleveland, OH 44114-1214 

T 216.621.0200 
F 216.696.0740 

August 31, 2018 www.bakerlaw.com 

David E. Kitchen 
direct dial: 216.861.7060 
dkitclicn@bakcrlaw.cora 

Via Email flData.Bixacfaes@state.ma.us) 

Via Overnight Mail 

Attorney General Maura Healey 
Office of the Attorney General 
One Ashburton Place 
Boston, Massachusetts 02108 

Re: Incident Notification 


Attorney General Healey: 

I am writing on behalf of our client, Posternalc Blankstein & Lund, LLP (“Postemak”), to 
notify you of a security incident involving Massachusetts residents. 

On June 29, 2018, Postemak learned through a forensic investigation into a phishing 
incident, that an unknown individual had gained access to a Postemak employee’s email account. 
On July 30, 2018, Postemak learned the identities of the individuals whose personal information 
was in the employee’s email account and what information may have been affected. Although, to 
date, Postemak does not know if any sensitive personal information was accessed without 
permission, it is providing notification to potentially affected individuals out of an abundance of 
caution. The information that could have been accessed in the employee’s account includes the 
individuals’ name and one or more of the following data elements for 134 Massachusetts 
residents: Social Security number, driver’s license number, payment card information including 
card number, expiration date, and card verification value, and financial account and routing 
number. 

On August 31, 2018, Postemak will begin mailing written notifications to potentially 
affected individuals. These individuals include 134 Massachusetts residents who are being 
notified of the incident in writing in accordance with Mass. Gen, Laws. Ch, 93H § 3(b) in 
substantially the same fo rm as the enclosed letter. Posternalc is offering eligible individuals a 
complimentary one-year membership in credit monitoring and identity theft protection services 
through Experian, Postemak has provided a telephone number for potentially affected 
individuals to call with any questions they may have. 

Atlanta Chicago Cincinnati Cleveland Columbus Costa Mesa Denver 

Houston Los Angeles New York Orlando Philadelphia Seattle Washington, DC 
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On August 31, 2018, Postemak will, also begin notifying third parties that provided 
Postemak with data relating to additional individuals whose information may have been affected 
by this incident. Postemak is offering to provide notification services, call center services, and 
required regulator notifications, on behalf of these t hir d parties. Postemak will also offer eligible 
individuals a complimentary one-year membership in credit monitoring and identity theft 
protection services through Experian. If any party accepts Posternak’s offer with respect to a 
Massachusetts resident, Postemak will submit a supplemental regulatory notice to tins office. 

To help prevent something like this from happening in the future, Postemak has taken 
steps to enhance its existing network and email security, including providing continued training 
to their employees on data security and the dangers of phishing emails. 

Please do not hesitate to contact me if you have any questions regarding this matter. 


Sincerely, 

£. - 

David E. Kitchen 
Partner 

Enclosure 

cc ; Director of the Office of Consumer Affairs and Business Regulation 










Postern 


POSTRIIAK |JI.AN)(S?t.l'V ?. uiNO UP 


Return Mail Processing Center 
P.O.Box 6336 
Portland, OR 97228-6336 


August 31, 2018 


Dear; 


Postemak Blankstein & Lund LLP understands the importance of protecting individuals’ personal information. We 
are writing to inform you that we recently identified and addressed a security incident that may have involved your 
information, including your name and Social Security number. 

We encourage you to remain vigilant by reviewing your account statements for any unauthorized activity. You should 
also review the additional information on the following pages on ways to protect yourself. We have arranged for you to 
receive a complimentary one-year membership ofExperian’s® IdentityWorks SM Credit 3B. This product helps detect possible 
misuse of your personal information and provides you with identity protection services focused on immediate identification 
and resolution of identity theft. IdentityWorks SM Credit 3B is completely free to you and enrolling in this program will not 
hurt your credit score. For more information on identity theft prevention and IdentityWorks SM Credit 3B, including 
instructions on how to activate your complimentary one-year membership, please see the additional information provided in 
this letter. 

We take the security of individuals’ personal information very seriously. If you have questions, please call at 877- 
588-5667, Monday through Friday between 9:00 am and 9:00 pm Eastern Time. 


Sincerely, 



Adam J, Ruttenberg, Partner 
Postemak Blankstein & Lund LLP 
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Activate IdentityWorks Credit 3B Now in Three Easy Steps 

If you believe there was fraudulent use of your information and would like to discuss how you may be able to resolve those 
issues, please reach out to an Experian agent. If, after discussing your situation with an agent, it is determined that identity 
restoration support is needed then an Experian Identity Restoration agent is available to work with you to investigate and 
resolve each incident of fraud that occurred (including, as appropriate, helping you with contacting credit grantors to dispute 
charges and close accounts; assisting you in placing a freeze on your credit file with the three major credit bureaus; and 
assisting you with contacting government agencies to help restore your identity to its proper condition). 

Please note that this offer is available to you for one year from the date of this letter and does not require any action on your 
part at this time. The Terms and Conditions for this offer are located at www.ExperianDDWorks.com/restoration. You will 
also find self-help tips and information about identity protection at this site. 

While Identity Restoration assistance is immediately available to you , we also encourage you to activate the fraud detection 
tools available through Experian IdentityWorks SM as a complimentary one year- membership. This product provides you with 
identity detection and resolution of identity theft. To staid monitoring your personal information please follow the steps below: 

• Ensure that you enroll by: 11/30/2018 (Your code will not work after this date.) 

• Visit the Experian IdentityWorks website to enroll: www.experianidworks.com/3bcredit 

• Provide your activation code: HHHHI 

If you have questions about the product, need assistance with identity restoration or would like an alternative to enrolling in 
Experian IdentityWorks online, please contact Experian’s customer care team at 877-890-9332 by 11/30/2018. Be prepared 
to provide engagement number^UHN 38 P 100 ^ °f eligibility for the identity restoration services by Experian. 

ADDITIONAL DETAILS REGARDING YOUR 12-MONTH EXPERIAN IDENTITYWORKS MEMBERSHIP: 

A credit card is not required for enrollment in Experian IdentityWorks, 

You can contact Experian immediately regarding any fraud issues, and have access to the following features once you enroll 
in Experian IdentityWorks: 

■ Experian credit report at signup: See what information is associated with your credit file. Daily credit reports are 
available for online members only.* 

■ Credit Monitoring: Actively monitors Experian, Equifax and Transunion files for indicators of fraud. 

■ Identity Restoration: Identity Restoration specialists are immediately available to help you address credit and non¬ 
credit related fraud, 

* Experian IdentityWorks ExtendCARE™: You receive the same high-level of Identify Restoration support even 
after your Experian IdentityWorks membership has expired. 

■ SI Million Identity Theft Insurance**: Provides coverage for certain costs and unauthorized electronic fund 
transfers. 

What you can do to protect your information: There are additional actions you can consider taking to reduce the chances 
of identity theft or fraud on your accounts). Please refer to www.ExperianIDWorks.com/restoration for this information. 

* Offline members will be eligible to call for additional reports quarterly after enrolling 

** Identity theft insurance is underwritten by insurance company subsidiaries or affiliates of American International Group, Inc. (AIG). The 
description herein is a summary and intended for informational purposes only and does not include all terms, conditions and exclusions of the 
policies described. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all 
jurisdictions 
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MORE INFORMATION ON WAYS TO PROTECT YOURSELF 


It is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements 
and credit reports for any unauthorized activity. You should immediately report any unauthorized charges to 
your card issuer because payment card rules generally provide that cardholders are not responsible for 
unauthorized charges reported in a timely maimer. You may obtain a copy of your credit report, free of charge, 
once every 12 months from each of the three nationwide credit reporting companies. To order your annual free 
credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information 
for the three nationwide credit reporting companies is as follows: 

Equifax, PO Box 740241, Atlanta, GA 30374, www.equifax.com , 1-800-685-1111 
Experian, PO Box 2002, Allen, TX 75013, www.experian.com. 1-888-397-3742 
TransUnion, PO Box 2000, Chester, PA 19016. www.transunion.com. 1-800-916-8800 

If you believe you are the victim of identity theft or have reason to believe your personal information has been 
misused, you should immediately contact the Federal Trade Commission and/or the Massachusetts Office of the 
Attorney General. Contact information for the Federal Trade Commission is as follows: 

Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW Washington, 
DC 20580, 1-877-IDTHEFT1438-43381. www.ftc.gov/idtheft 

Contact information for the Massachusetts Office of the Attorney General is as follows: 

Office of the Attorney General, One Ashburton Place, Boston, MA 02108 , 617-727-8400, 
www.mass.gov/aeo/contact-us.html 

You can obtain information from these sources about steps an individual can take to avoid identity theft as well 
as information about fraud alerts and security freezes. You should also contact your local law enforcement 
authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies 
to creditors to correct your records. 

Note that pursuant to Massachusetts law, you have the right to file and obtain a copy of any police report. 

Massachusetts law also allows consumers to request a security freeze. A security freeze prohibits a credit 
reporting agency from releasing any information from your credit report without written authorization. Be aware 
that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of 
any requests you make for new loans, credit mortgages, employment, housing, or other services. 

The fee for placing a security freeze on a credit report is $5.00. If you are a victim of identity theft and submit 
a valid investigative report or complaint with a law enforcement agency, the fee will be waived. In all other 
instances, a credit reporting agency may charge you up to $5.00 each to place, temporarily lift, or permanently 
remove a security freeze. If you have not been a victim of identity theft, you will need to include payment to the 
credit reporting agency to place, lift, or remove a security freeze by check, money order, or credit card. 
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To place a security freeze on your credit report, you must send a written request to each of the three major 
reporting agencies by regular, certified, or overnight mail at the addresses below: 

Equifax Security Freeze, PO Box 105788, Atlanta, GA 30348, www.equifax.com 
Experian Security Freeze, PO Box 9554, Allen, TX 75013, www.experian.com 
TransUnion Security Freeze , PO Box 2000, Chester, PA 19016, www.transunion,com 

In order to request a security freeze, you will need to provide the following information: 

1. Your full name (including middle initial as well as Jr., Sr., II, HI, etc.) 

1. S ocial S ecurity number 

2. Date of birth 

3. If you have moved in the past five (5) years, provide the addresses where you have lived over the prior 
five years 

4. Proof of current address such as a current utility bill or telephone bill 

5. A legible photocopy of a government issued identification card (state driver's license or ID card, military 
identification, etc.) 

6. If you are a victim of identity theft, include a copy of the police report, investigative report, or complaint 
to a law enforcement agency concerning identity theft 

The credit reporting agencies have three (3) business days after receiving your request to place a security freeze 
on your credit report. The credit bureaus must also send written confirmation to you within five (5) business 
days and provide you with a unique personal identification number (“PIN”) or password or both that can be used 
by you to authorize the removal or lifting of the security freeze. 

To lift the security freeze in order to allow a specific entity or individual access to your credit report, you must 
call or send a written request to the credit reporting agencies by mail and include proper identification (name, 
address, and Social Security number) and the PIN number or password provided to you when you placed the 
security freeze as well as the identity of those entities or individuals you would like to receive your credit report 
or the specific period of time you want the credit report available. The credit reporting agencies have three (3) 
business days after receiving your request to lift the security freeze for those identified entities or for the specified 
period of time. 

To remove the security freeze, you must send a written request to each of the three credit bureaus by mail and 
include proper identification (name, address, and Social Security number) and the PIN number or password 
provided to you when you placed the security freeze. The credit bureaus have three (3) business days after 
receiving your request to remove the security freeze. 
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^- FOLD on this line and place In shipping pouch with bar code and delivery address visible 

1. Fold the first printed page in half and use as the shipping label. 

2. Place the label In a waybill pouch and affix it to your shipment so that the barcode portion 
of the label can be read and scanned. 

3. Keep the second page as a receipt for your records. The receipt contains the terms and 
conditions of shipping and information useful for tracking your package. 


Legal Terms and Conditions 

Tendering packages by using this system constitutes your agreement to the service conditions for the transportation of your 
shipments as found in the applicable FedEx Service Guide, available upon request. FedEx will not be responsible for any claim 
In excess of the applicable declared value, whether the result of loss, damage, delay, non-delivery, misdelivery, or 
misinformation, unless you declare a higher value, pay an additional charge, document your actual loss and file a timely claim. 
Limitations found In the applicable FedEx Service Guide apply. Your right to recover from FedEx for any loss, Including intrinsic 
value of the package, loss of sales, income interest, profit, attorney's fees, costs, and other forms of damage whether direct, 
incidental, consequential, or special is limited to the greater of 100 USD or the authorized declared value. Recovery cannot 
exceed actual documented loss. Maximum for items of extraordinary value is 500 USD, e.g. jewelry, precious metals, negotiable 
Instruments and other items listed in our Service Guide, Written claims must be filed within strict time limits, see applicable 
FedEx Service Guide. FedEx will not be liable for loss or damage fo prohibited items in any event or for your acts or omissions, 
including, without limitation, improper or insufficient packaging, securing, marking or addressing, or the acts or omissions of the 
recipient or anyone else with an interest in the package. See the applicable FedEx Service Guide for complete terms and 
conditions. To obtain information regarding how to file a claim or to obtain a Service Guide, please call 1-800-GO-FEDEX 
(1-800-463-3339). 


https;//cIoud.psship.com/index.php 
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